ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 2 Q21-40
Question 21
Which technique is commonly used to evade intrusion detection systems by fragmenting network packets?
A) Packet sniffing
B) IP fragmentation attack
C) DNS poisoning
D) SQL injection
Answer: B) IP fragmentation attack
Explanation:
Packet sniffing refers to the practice of capturing and analyzing network traffic as it traverses a network. While this technique is widely used for both legitimate network diagnostics and unauthorized interception, it does not inherently provide a means to evade intrusion detection systems. Packet sniffing is fundamentally a passive activity; it does not alter or fragment traffic to bypass security mechanisms, nor does it manipulate packets to avoid detection. Instead, it depends entirely on capturing whatever traffic is already accessible over the network, making it unrelated to evasion through fragmentation.
IP fragmentation attack, on the other hand, focuses specifically on bypassing intrusion detection systems by exploiting the way such systems handle fragmented packets. In this attack, an adversary deliberately breaks malicious payloads into multiple small packet fragments. These fragments may be constructed in unusual, overlapping, or incomplete ways that prevent the IDS from properly reassembling them. When the IDS fails to reconstruct the entirety of the original malicious payload, the attack can pass unnoticed. Meanwhile, the target system—often using a different reassembly method—successfully rebuilds the fragmented packets, allowing the harmful data to execute. This difference in packet-handling behavior between the IDS and the target system is at the core of the attack’s success. Fragmentation attacks are widely used in red teaming and advanced penetration testing, as they demonstrate whether an organization’s detection tools are capable of handling unusual or intentionally manipulated packet structures.
DNS poisoning, although a significant security threat, operates by corrupting a system’s DNS cache or manipulating DNS responses to redirect users to malicious destinations. It does not involve packet fragmentation and does not focus on evading IDS visibility through packet manipulation. Instead, it targets name resolution mechanisms.
SQL injection affects databases by inserting malicious SQL queries through poorly validated input fields. This form of attack is entirely separate from packet-level techniques and does not involve manipulating packet structures, fragmentation, or IDS evasion strategies. Its purpose is to exploit web application vulnerabilities to access or manipulate stored data, not to bypass packet-level inspection.
The correct answer is IP fragmentation attack because it specifically manipulates packet structure at the network layer to evade detection tools. By breaking malicious payloads into fragments that an IDS may not reassemble correctly, attackers reduce visibility into their activities. This tactic is well-known for exploiting discrepancies between network devices and security tools, making it one of the most recognized methods for bypassing intrusion detection systems.
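As an added illustration, not part of the original question set, the following Python models the reassembly discrepancy the explanation describes: the same constructed fragments are rebuilt under a first-wins and a last-wins overlap policy, and an IDS-style check flags the set as ambiguous when the two results differ. Fragment offsets are simplified to byte offsets and the more-fragments flag is omitted; both are assumptions of this example.

```python
"""Reassembly-ambiguity check for IP fragments (added example, constructed data).

Fragments are modelled as (offset, payload) with byte offsets; real IP fragments
use 8-byte offset units and a more-fragments flag, which this omits so the
reassembly policy itself stays in focus.  Fragments are processed in arrival
order, since arrival order is what the two policies disagree about.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int       # byte offset within the original datagram
    payload: bytes


def reassemble(frags, policy):
    """Rebuild the datagram; 'first' keeps bytes already placed (earlier arrival
    wins), 'last' lets later fragments overwrite.  Raises on coverage gaps."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(f.offset + len(f.payload) for f in frags)
    buf = bytearray(total)
    filled = [False] * total
    for f in frags:
        for i, byte in enumerate(f.payload):
            pos = f.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    if not all(filled):
        raise ValueError("incomplete datagram: gap in fragment coverage")
    return bytes(buf)


def has_overlap(frags):
    """True if any two fragments cover a common byte."""
    max_end = 0
    for start, end in sorted((f.offset, f.offset + len(f.payload)) for f in frags):
        if start < max_end:
            return True
        max_end = max(max_end, end)
    return False


def analyse(frags):
    """Verdict an IDS could act on: 'clean', 'overlap-consistent' (redundant
    overlap, same bytes either way) or 'ambiguous' (the policies disagree, so
    the IDS and the end host may see different payloads)."""
    if reassemble(frags, "first") != reassemble(frags, "last"):
        return "ambiguous"
    return "overlap-consistent" if has_overlap(frags) else "clean"


# Constructed sample: two clean fragments, then a third that arrives later and
# overlaps bytes 4..9 with different content.
CLEAN = [Fragment(0, b"GET /index"), Fragment(10, b".htm")]
OVERLAP = CLEAN + [Fragment(4, b"/admin")]
```

An IDS that normalizes traffic can drop or reassemble such ambiguous sets according to the target host's known policy instead of guessing.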
Question 22
Which type of malware hides its presence in the system while allowing an attacker to maintain privileged access?
A) Trojan
B) Rootkit
C) Worm
D) Adware
Answer: B) Rootkit
Explanation:
A Trojan is a form of malware that disguises itself as legitimate software in order to trick users into installing it. While Trojans can deliver harmful payloads, steal information, or create backdoors, they do not primarily focus on concealing themselves from system monitoring tools. Instead, their defining characteristic is deception at the delivery stage, not stealth after installation. Once the user executes the Trojan, it typically runs its malicious functions openly, unless it also contains other forms of malware designed for concealment.
A rootkit, however, is specifically engineered for stealth and persistence. Rootkits modify system-level components such as kernel modules, drivers, processes, or the system registry to make their presence invisible to users and security tools. They can hide files, conceal running processes, intercept system calls, and mask malicious activity. The primary objective of a rootkit is to allow attackers to maintain long-term privileged access without triggering detection tools like antivirus programs, log monitoring systems, or intrusion detection mechanisms. Rootkits often require elevated permissions to install, and once embedded deeply into the system, they are extremely difficult to detect or remove. They form the backbone of many advanced persistent threats, enabling attackers to continuously extract data or manipulate systems while remaining hidden.
A worm differs significantly because it is designed to self-replicate across systems without requiring user interaction. Worms spread by scanning for vulnerable hosts and exploiting network or software weaknesses. While dangerous, worms typically do not focus on stealth; in many cases, their replication behavior generates noticeable network traffic, which can trigger alerts. Worms are about propagation rather than concealment or persistent privileged access.
Adware is relatively benign in comparison. Its purpose is to display advertisements to the user, often in an intrusive or unwanted manner. Adware programs do not attempt to hide their presence, nor do they maintain privileged control over the system. They are frequently bundled with freeware and are more of a nuisance than a covert threat.
Rootkit is the correct answer because it uniquely combines stealth with privileged access. Its core purpose is to conceal attacker activity and embed itself deeply into the system so that malicious actions can continue without detection. Rootkits enable long-term control, making them highly dangerous in targeted attacks and advanced cyber operations.
Question 23
Which scanning technique can detect open ports without completing the full TCP handshake?
A) SYN scan
B) Full connect scan
C) UDP scan
D) Ping sweep
Answer: A) SYN scan
Explanation:
A SYN scan operates by exploiting the behavior of the TCP three-way handshake without completing it fully. This technique begins by sending a SYN packet to a target port. If the port is open, the target system responds with a SYN-ACK. Instead of completing the handshake by sending an ACK, the scanning system sends a RST packet, aborting the connection. Because the handshake is never completed, this type of scan is considered stealthier than traditional methods. Network logging tools and intrusion detection systems that monitor full connection attempts are less likely to flag SYN scans, making them ideal for reconnaissance. A closed port, by contrast, will return a RST-ACK, indicating no service is listening. SYN scans are efficient, fast, and commonly used by penetration testers to map network attack surfaces without drawing unnecessary attention.
A full connect scan, in contrast, performs the entire three-way handshake, establishing a complete TCP connection with the target port. This method is more easily detectable because logs on the target system will record the full connection. Although accurate, the full connect scan is less stealthy and more resource-intensive. It is typically used when stealth is not a priority or when the tester aims to confirm results after a more covert scan.
A UDP scan differs fundamentally because it operates on a connectionless protocol. Rather than relying on handshake behavior, UDP scans involve sending datagrams and analyzing ICMP responses or silence. Because many systems limit ICMP responses and UDP traffic is often filtered, this technique can be slower and less reliable. While it helps identify services running on UDP ports, it does not exploit handshake behavior and has no relation to SYN-style stealth scanning techniques.
A ping sweep uses ICMP echo requests to determine which hosts are online. This technique is valuable for identifying live systems but does not examine port status or manipulate TCP handshakes. It is a host discovery method rather than a port scanning strategy.
SYN scan is the correct answer because it uniquely allows a scanner to evaluate port status without completing the full TCP connection. This reduced interaction makes it harder for security monitoring systems to detect scanning activity. Its combination of speed, detail, and stealth makes it a foundational tool in reconnaissance during penetration testing and ethical hacking.
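The SYN, SYN-ACK, RST exchange described above leaves a recognizable trace for defenders: a single source sending SYNs to many distinct ports without ever sending the completing ACK. The following Python is an added example (not from the original page) that applies that rule to a constructed packet trace; the record layout and flag letters are assumptions of the example.

```python
"""Half-open (SYN) scan detection over constructed packet records (added example).

Each record is (src, dst, dport, flags) as seen by a sensor; flags use
tcpdump-style letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "R" RST, "RA" RST-ACK.
A SYN scanner sends S and then R (or nothing) but never the final A, so the
signature is many distinct (dst, port) pairs with a SYN and no completing ACK
from the same source.
"""
from collections import defaultdict


def half_open_probes(packets):
    """Map source IP -> set of (dst, dport) it sent a SYN to without ever ACKing."""
    syn_sent = defaultdict(set)
    ack_sent = defaultdict(set)
    for src, dst, dport, flags in packets:
        if flags == "S":
            syn_sent[src].add((dst, dport))
        elif flags == "A":
            ack_sent[src].add((dst, dport))
    return {src: targets - ack_sent[src] for src, targets in syn_sent.items()}


def detect_syn_scanners(packets, threshold=5):
    """Sources with at least `threshold` half-open probes to distinct ports."""
    probes = half_open_probes(packets)
    return sorted(src for src, targets in probes.items() if len(targets) >= threshold)


# Constructed trace: 10.0.0.9 probes six ports on 10.0.0.5 (22 and 80 answer
# SYN-ACK and get a RST back); 10.0.0.7 completes a normal handshake to port 80.
SCANNER, CLIENT, SERVER = "10.0.0.9", "10.0.0.7", "10.0.0.5"
SAMPLE = []
for _port, _open in [(21, False), (22, True), (23, False), (25, False), (80, True), (443, False)]:
    SAMPLE.append((SCANNER, SERVER, _port, "S"))
    SAMPLE.append((SERVER, SCANNER, 40000 + _port, "SA" if _open else "RA"))
    if _open:
        SAMPLE.append((SCANNER, SERVER, _port, "R"))   # scanner aborts instead of ACKing
SAMPLE += [(CLIENT, SERVER, 80, "S"), (SERVER, CLIENT, 51234, "SA"), (CLIENT, SERVER, 80, "A")]
```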
Question 24
Which method is most effective at preventing brute-force attacks on password-protected accounts?
A) Complex passwords
B) Account lockout policies
C) Password hashing
D) Port blocking
Answer: B) Account lockout policies
Explanation:
Complex passwords increase password strength by introducing greater entropy through longer length, a mix of character types, and unpredictable patterns. While complex passwords are fundamental to secure authentication practices, they do not actively stop an attacker from repeatedly attempting to guess the password through automated login attempts. If an attacker attempts online brute-force attacks, complex passwords merely slow the process; the attacker can continue attempting guesses indefinitely unless another security mechanism intervenes. Thus, while valuable, password complexity alone cannot prevent brute-force attacks on active login portals.
Account lockout policies directly address the mechanics of brute-force attacks by limiting the number of consecutive failed login attempts. When a system detects a predefined number of incorrect entries, it temporarily locks the account, preventing further attempts for a specific duration. This mechanism disrupts automated guessing attempts by forcing delays and preventing attackers from continuously cycling through possible passwords. Even high-powered automated tools become ineffective because the account becomes unavailable after only a few attempts. This significantly raises the cost and reduces the feasibility of brute-force attacks on live systems. Lockout policies also alert administrators to suspicious activity and can be tuned based on security requirements.
Password hashing is essential for protecting stored passwords. When a database is compromised, hashing ensures that raw passwords cannot be easily retrieved. Even if the attacker gains access to hashed values, strong hashing algorithms make recovery extremely difficult. However, password hashing does not protect against online brute-force attacks, where the attacker interacts directly with the authentication interface. The hashing function operates internally on the server and does nothing to limit the attacker’s ability to submit repeated guesses, making it unrelated to stopping brute-force attempts on active accounts.
Port blocking prevents access to specific network services by restricting entry points. While useful in reducing attack surfaces, it cannot prevent brute-force attacks on login interfaces that remain accessible. Blocking an unrelated port does nothing to protect against repeated password attempts on an active service such as SSH, RDP, or a web login page.
Account lockout policies are the correct answer because they directly stop brute-force attacks by limiting the number of attempts an attacker can make. This control breaks the attack cycle and forces attackers to use alternative, less direct methods, thereby strengthening overall account security.
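The lockout mechanism described above, written out as an added example that is not part of the original page: consecutive failures are counted per account, the account is locked for a fixed window once the threshold is reached, and the counter resets on success or when the window expires. The threshold and duration values, the user store, and the simple salted hash are all constructed for the example.

```python
"""Account lockout policy (added example, constructed values).

Threshold and duration are illustrative.  Counters reset on success and
after the lockout window passes, and a locked account is rejected before the
password is even checked, so guessing cannot continue during the window.
"""
from dataclasses import dataclass, field
import hashlib
import hmac


@dataclass
class LockoutPolicy:
    max_attempts: int = 5          # consecutive failures before locking
    lockout_seconds: int = 900     # how long the account stays locked
    failures: dict = field(default_factory=dict)      # user -> (count, last_fail_ts)
    locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                 # window expired: clear the state
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Count a failed attempt; return True if this one triggered a lockout."""
        count = self.failures.get(user, (0, now))[0] + 1
        self.failures[user] = (count, now)
        if count >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            return True                  # caller should log and alert
        return False

    def record_success(self, user):
        self.failures.pop(user, None)


def check_password(stored_hash, salt, candidate):
    """Constant-time comparison against a salted hash (illustrative scheme only;
    production systems use a slow password hash such as argon2 or bcrypt)."""
    digest = hashlib.sha256(salt + candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


def login(policy, user, password, now, stored):
    """Return 'locked', 'ok', 'bad-password' or 'locked-now'."""
    if policy.is_locked(user, now):
        return "locked"                  # reject without checking the password
    salt, stored_hash = stored[user]
    if check_password(stored_hash, salt, password):
        policy.record_success(user)
        return "ok"
    return "locked-now" if policy.record_failure(user, now) else "bad-password"


# Constructed user store: (salt, sha256(salt || password)).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hashlib.sha256(_SALT + b"correct horse").hexdigest())}
```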
Question 25
Which vulnerability allows attackers to inject malicious scripts into web pages viewed by other users?
A) SQL injection
B) Cross-site scripting
C) ARP poisoning
D) Buffer overflow
Answer: B) Cross-site scripting
Explanation:
SQL injection is a serious web application vulnerability that allows attackers to manipulate database queries by inserting malicious SQL statements into input fields. While SQL injection can lead to unauthorized data access, modification, or deletion, it does not involve injecting content into web pages viewed by other users. Instead, it exploits server-side database interactions, making it unrelated to client-side script injection intended for other users.
Cross-site scripting, however, is explicitly designed to inject malicious scripts into web pages so that they execute in the browsers of other users. XSS occurs when input fields or URL parameters fail to sanitize user-supplied content. When this content is later reflected or stored and delivered to other users, their browsers process the malicious script as if it were legitimate page content. This allows attackers to steal cookies, session tokens, input data, or even perform unauthorized actions on behalf of users. XSS attacks are highly dangerous because they exploit trust relationships between a user’s browser and a legitimate website. The injected scripts run within the security context of the website, enabling attacks that bypass traditional server-side cybersecurity controls. XSS is widely used in phishing-style attacks, session hijacking, and website defacement.
ARP poisoning is a network-level attack targeting local networks, not web applications. It operates by sending falsified ARP messages to a network segment, causing devices to update their ARP tables incorrectly. This redirects traffic through the attacker’s device, enabling man-in-the-middle attacks. ARP poisoning does not inject scripts into web pages and has nothing to do with browser-based vulnerabilities.
Buffer overflow occurs when a program writes more data to a buffer than it can store, causing adjacent memory locations to be overwritten. This can allow attackers to execute arbitrary code or crash the application. While buffer overflows pose significant security risks, they do not involve injecting scripts into web pages viewed by others. Their purpose is system exploitation, not cross-user content manipulation.
Cross-site scripting is the correct answer because it uniquely allows attackers to inject and execute malicious scripts within the browsers of unsuspecting users. By exploiting insufficient input validation and output encoding, attackers can manipulate web content delivered to multiple users, making XSS one of the most prevalent and dangerous vulnerabilities in modern web applications.
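The "insufficient input validation and output encoding" point above, shown as an added example that is not from the original page: a reflected search term rendered verbatim becomes page markup, while encoding it for the HTML context neutralizes it, and a link attribute additionally needs a scheme check because encoding alone does not stop a javascript: URL. The payload and the page fragments are constructed for the example.

```python
"""Reflected XSS: unsafe vs. encoded output (added example, constructed input)."""
import html
import urllib.parse


def render_unsafe(query):
    """Reflects the search term verbatim: user input becomes page markup."""
    return f"<p>Results for: {query}</p>"


def render_safe(query):
    """Encodes for an HTML text context before reflecting; quote=True also
    escapes quotes so the same helper is safe inside attribute values."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_link_safe(url):
    """Attribute context with a URL: encode AND restrict the scheme, since
    html.escape alone would leave a javascript: URL executable."""
    if urllib.parse.urlparse(url).scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def contains_script_element(page):
    """Crude marker used only to contrast the two renderings above."""
    return "<script" in page.lower()


# Constructed probe payload; a real attack would carry a more purposeful script.
PAYLOAD = "<script>alert(1)</script>"
```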
Question 26
Which method allows attackers to discover hidden directories on a web server?
A) Directory traversal
B) Directory brute force
C) Cross-site request forgery
D) Sniffing
Answer: B) Directory brute force
Explanation:
Directory traversal is an attack technique that manipulates input paths to access files or directories outside the intended web application scope. By using sequences such as “../”, attackers attempt to reach sensitive files like configuration files, logs, or system files. While directory traversal is effective for unauthorized file access, it is not specifically intended to discover hidden directories on a web server. Instead, it focuses on exploiting weaknesses in input validation to escape restricted directories.
Directory brute force, however, is a targeted enumeration method used to uncover hidden or unlisted directories on a web server. Attackers use automated tools such as DirBuster, Gobuster, or Dirsearch to systematically test thousands of potential directory names. These tests generate HTTP requests to see which paths return valid responses, such as 200 OK or 403 Forbidden. By analyzing these responses, attackers can identify administrative interfaces, backup folders, development files, or misconfigured directories not meant to be publicly accessible. This technique is essential during the reconnaissance phase of web application penetration testing because it reveals the server’s structure and uncovers areas that may contain vulnerabilities. Hidden directories often expose sensitive resources, old versions of applications, or misconfigured files.
Cross-site request forgery is an entirely different type of attack that forces authenticated users to perform actions without their consent. CSRF operates by exploiting the trust a website places in a user’s browser, but it does not provide any mechanism for discovering hidden directories. It involves unauthorized action, not reconnaissance.
Sniffing captures network traffic by intercepting packets on the network. Although sniffing can reveal transmitted data, it does not interact with a web server’s directory structure. Sniffing is used for authentication credential interception, session hijacking attempts, or protocol analysis, not directory discovery.
Directory brute force is the correct answer because it is specifically designed to enumerate and reveal hidden directories that are not publicly listed or exposed through visible navigation. By systematically testing potential directory names, attackers uncover structural information about the web server, enabling deeper penetration testing and vulnerability discovery.
Question 27
Which attack occurs when an attacker manipulates ARP tables to redirect traffic to themselves?
A) DDoS
B) ARP spoofing
C) Phishing
D) SQL injection
Answer: B) ARP spoofing
Explanation:
A DDoS attack involves sending overwhelming amounts of traffic or resource requests to a target system or network in an attempt to disrupt normal service. While extremely damaging, DDoS attacks do not manipulate network tables such as the ARP cache. Their objective is to exhaust resources—bandwidth, CPU, or memory—rather than alter the flow of network traffic through deception.
ARP spoofing is a network attack that directly manipulates ARP tables by sending crafted ARP replies to devices on a local network. In this attack, the attacker associates their own MAC address with the IP address of another device, such as a gateway or server. When victims update their ARP caches with this falsified information, they begin sending traffic intended for the legitimate device to the attacker instead. This enables interception, packet modification, credential theft, or traffic redirection. Because ARP operates without authentication, attackers can freely inject forged ARP messages, making ARP spoofing one of the core techniques used in local network attacks and man-in-the-middle scenarios.
Phishing operates entirely through social engineering, using deceptive messages to trick victims into revealing credentials or other sensitive information. It does not involve network-level manipulation, packet redirection, or ARP table modification. Phishing is about psychological manipulation, not technical exploitation of local network protocols.
SQL injection is a web application attack where malicious SQL commands are injected into database queries. SQL injection focuses on server-side database manipulation, data extraction, and privilege escalation—not network-level operations. Database queries and ARP traffic are unrelated, making SQL injection irrelevant to ARP spoofing.
ARP spoofing is the correct answer because it directly alters ARP tables to reroute traffic. This manipulation allows attackers to insert themselves into network communications, facilitating eavesdropping, data modification, or session hijacking. Its simplicity and effectiveness make it a widely used tactic in penetration testing and network attacks.
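Because ARP carries no authentication, the defensive counterpart to the attack above is to watch the replies themselves. The following Python is an added example (not from the original page) that tracks the IP-to-MAC binding each reply claims, pins critical hosts such as the gateway, and raises an alert when a binding flips or one MAC claims several addresses; the addresses and the reply sequence are constructed.

```python
"""Detect ARP cache poisoning from observed ARP replies (added example).

Maintains the IP -> MAC binding each reply claims and alerts when a pinned
host is contradicted, a known IP suddenly maps to a different MAC, or one
MAC claims several IPs, all symptoms of the forged replies described above.
"""
from collections import defaultdict


class ArpWatcher:
    def __init__(self, trusted=None):
        # Optional static bindings for critical hosts such as the gateway.
        self.bindings = dict(trusted or {})
        self.trusted = set(self.bindings)
        self.by_mac = defaultdict(set)
        for ip, mac in self.bindings.items():
            self.by_mac[mac].add(ip)

    def observe(self, ip, mac):
        """Process one reply 'ip is-at mac'; return an alert string or None."""
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known == mac:
            return None                  # consistent with what we already know
        if known is not None and ip in self.trusted:
            return f"ALERT {ip}: static binding {known} contradicted by {mac}"
        if known is not None:
            self.by_mac[known].discard(ip)
        self.bindings[ip] = mac
        self.by_mac[mac].add(ip)
        if known is not None:
            return f"WARN {ip}: binding changed {known} -> {mac}"
        if len(self.by_mac[mac]) > 1:
            return f"WARN {mac}: claims multiple IPs {sorted(self.by_mac[mac])}"
        return None


def scan_replies(replies, trusted=None):
    """Feed (ip, mac) replies in order; return the list of alerts raised."""
    watcher = ArpWatcher(trusted)
    return [a for a in (watcher.observe(ip, mac) for ip, mac in replies) if a]


# Constructed sample: the gateway is pinned; 192.168.1.20 is a legitimate host;
# aa:bb:cc:dd:ee:99 then claims the gateway address and the host address.
GATEWAY = {"192.168.1.1": "00:11:22:33:44:01"}
SAMPLE = [
    ("192.168.1.20", "00:11:22:33:44:20"),
    ("192.168.1.1", "aa:bb:cc:dd:ee:99"),   # forged: gateway claimed by another MAC
    ("192.168.1.20", "aa:bb:cc:dd:ee:99"),  # forged: host address claimed too
    ("192.168.1.20", "aa:bb:cc:dd:ee:99"),  # repeat of an already-seen claim
]
```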
Question 28
Which technique is used to evade antivirus detection by altering the malware’s code without changing its functionality?
A) Polymorphism
B) Phishing
C) Brute-force attack
D) Packet sniffing
Answer: A) Polymorphism
Explanation:
Polymorphism is a sophisticated technique used by malware to evade detection by signature-based antivirus systems. Each time the malware infects a new system or replicates itself, it modifies its code structure while preserving its underlying functionality. This is typically achieved through encryption, code obfuscation, or the use of mutating algorithms. Because signature-based antivirus tools rely on identifying known code patterns, polymorphic malware can avoid detection by presenting a unique signature with each iteration. Despite these changes, the malware’s behavior and purpose remain intact. Polymorphism allows attackers to distribute malware widely without it being easily recognized or blocked, making it especially effective for long-term infections, ransomware campaigns, and large-scale malicious operations.
Phishing, while dangerous, focuses on deceiving users into revealing personal information, clicking malicious links, or downloading harmful attachments. Phishing attacks depend on social engineering, not code alteration. They do not involve modifying malware structure or evading antivirus detection through technical polymorphism.
Brute-force attacks attempt to guess passwords or encryption keys by trying large numbers of possible combinations. This technique targets authentication systems rather than antivirus detection mechanisms. Brute-force attacks do not involve malware code manipulation or evasion strategies.
Packet sniffing captures and analyzes data packets as they traverse a network. While useful for attackers attempting to gather sensitive information, packet sniffing does not modify malware code nor help evade antivirus tools. Its function is passive observation rather than evasion.
Polymorphism is the correct answer because it uniquely focuses on altering the appearance of malware while retaining its behavior. This deliberate modification makes signature-based detection ineffective, forcing security tools to rely on heuristic or behavioral analysis instead. Polymorphic malware remains one of the most challenging threats for traditional antivirus solutions.
Question 29
Which network service discovery tool can identify live hosts and open ports?
A) Wireshark
B) Nmap
C) Netcat
D) Nessus
Answer: B) Nmap
Explanation:
Wireshark is a powerful network analysis tool that captures and inspects traffic in real time. It allows users to analyze packet contents, identify communication patterns, and troubleshoot network issues. However, Wireshark does not actively scan for live hosts or open ports. It can reveal activity from existing communication but cannot initiate discovery scans or enumerate services.
Nmap is specifically engineered for network discovery, host identification, and port scanning. It sends crafted packets to target systems and analyzes their responses to determine which hosts are active, which ports are open, and what services are running. Nmap can also perform OS fingerprinting, version detection, script-based scanning, and vulnerability detection through its Nmap Scripting Engine (NSE). Its ability to combine speed, flexibility, and detail makes it the most widely used tool for reconnaissance in penetration testing and network auditing. Nmap identifies hosts by sending packets such as ICMP echo requests, SYN packets, or ARP requests, depending on the scan type and network configuration. It then interprets the responses to construct a comprehensive picture of the network environment.
Netcat, often described as a “Swiss Army knife” for networking, can establish connections, send or receive data, or listen on ports. While extremely versatile, it does not provide automated discovery features such as scanning ranges of IPs or probing ports across multiple hosts. Its purpose is interaction, not enumeration.
Nessus is a vulnerability scanner designed to assess systems for known weaknesses, misconfigurations, and outdated software. While Nessus may perform host discovery as a preliminary step, it is not specialized for lightweight scanning or network reconnaissance. Its focus is deep vulnerability assessment rather than identifying hosts and open services quickly.
Nmap is the correct answer because it excels at discovering live hosts and enumerating open ports. Its scanning capabilities form the foundation of many security assessments, making it indispensable for penetration testers and network administrators.
Question 30
Which attack can capture authentication credentials by exploiting weaknesses in the WEP protocol?
A) WPA2 handshake attack
B) WEP cracking
C) Evil twin
D) MITM
Answer: B) WEP cracking
Explanation:
A WPA2 handshake attack targets the WPA2 protocol by capturing the four-way handshake used when a client connects to a wireless network. Attackers typically use this technique to perform offline dictionary or brute-force attacks on the captured handshake. While effective against weak passwords, it does not exploit vulnerabilities in the WEP protocol and therefore is unrelated to weaknesses specific to WEP encryption mechanisms.
WEP cracking directly targets the weaknesses inherent in the Wired Equivalent Privacy (WEP) protocol. WEP uses the RC4 stream cipher along with a 24-bit IV (Initialization Vector), which is too small and leads to IV reuse. When enough packets are captured, attackers can analyze repeated IV patterns and derive the WEP key. Tools such as Aircrack-ng automate this process by capturing large numbers of packets and identifying statistical weaknesses in the encryption. Because WEP does not properly protect against IV collisions and relies on predictable key scheduling, recovery of the encryption key becomes trivial once sufficient data is collected. This enables attackers to decrypt traffic, access the network, and intercept sensitive information. WEP cracking is one of the earliest and most well-known wireless security attacks due to the protocol’s widely recognized design flaws.
An evil twin attack involves creating a rogue access point that mimics a legitimate one to trick users into connecting. This enables interception of traffic but does not exploit encryption weaknesses. Evil twin attacks rely on deception and signal manipulation rather than breaking WEP keys or analyzing IVs.
A MITM attack intercepts communication between two systems, allowing the attacker to view, modify, or redirect traffic. While MITM can be used after WEP is cracked, it does not inherently exploit WEP vulnerabilities. MITM is a broader category of attacks and does not directly address the fundamental weaknesses in WEP encryption.
WEP cracking is the correct answer because it specifically targets the flawed encryption design of the WEP protocol. By exploiting predictable IV behavior and weak key management, attackers can recover the encryption key and gain unauthorized access to wireless networks.
Question 31
Which type of attack exploits trust relationships between different sites or applications in a browser?
A) Cross-site request forgery
B) SQL injection
C) ARP spoofing
D) Directory traversal
Answer: A) Cross-site request forgery
Explanation:
Cross-site request forgery involves manipulating a user’s authenticated browser session to send unintended requests to a trusted website. It relies on the target site trusting the user’s browser because it contains legitimate cookies or tokens. When a victim unknowingly loads a malicious webpage or interacts with an attacker-controlled element, the browser automatically includes authentication data in the request, allowing actions such as form submission, profile modification, or transaction execution without the user’s intent. This technique hinges on exploiting the trust between a site and a legitimate authenticated session rather than exploiting flaws in the application directly.
SQL injection focuses on injecting malicious SQL statements through vulnerable input mechanisms in order to manipulate backend databases. It affects how databases interpret user-supplied data, but it does not exploit inter-site trust relationships or browser-based authentication exchange. Its goal is to manipulate data, access unauthorized records, or bypass authentication mechanisms within a single application rather than across trusted sites.
ARP spoofing, on the other hand, is a network-level attack where an attacker sends falsified Address Resolution Protocol messages on a local network to associate their MAC address with the IP address of another device. While dangerous, this attack manipulates LAN traffic and enables man-in-the-middle interception, not browser-level trust exploitation. It does not involve session cookies, authenticated requests, or cross-site interactions within a web environment.
Directory traversal focuses on gaining access to restricted directories by exploiting improper input sanitization. It allows attackers to navigate to file paths outside intended boundaries using crafted characters such as “../”. Although harmful for exposing sensitive server files, this attack does not involve multi-site trust dependencies or force a user’s browser to issue unintended authorized commands.
Cross-site request forgery is correct because it is uniquely centered on exploiting the browser’s inherent trust model and pre-established authentication tokens. By tricking the user’s browser into executing unintended actions on a trusted website, the attacker bypasses direct access to the system and instead leverages the victim’s valid session. This makes it particularly dangerous, as it does not require the attacker to breach authentication mechanisms themselves. Instead, it manipulates the victim to unwittingly perform actions that the application interprets as legitimate. The attack operates silently, often without the victim perceiving any malicious activity, and it demonstrates the security risks arising from implicit trust relationships between applications and authenticated browsers. This reliance on session information and implicit trust is what makes cross-site request forgery the most appropriate answer.
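Since the attack above relies on the browser attaching the victim's session automatically, the standard defence binds each state-changing request to a value the attacker's page cannot read. The following Python is an added example (not from the original page) of the synchronizer-token pattern with an Origin check in front of it; the form, endpoint and origins are constructed.

```python
"""Synchronizer-token CSRF defence (added example, constructed scenario).

A per-session random token is embedded in every state-changing form; the
server accepts the request only if the submitted token matches the session's
token in constant time.  A forged cross-site request carries the victim's
cookie, but the attacker's page cannot read or guess the token.
"""
import hmac
import secrets


class Session:
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def render_form(session, action="/transfer"):
    """Embed the session token as a hidden field in a state-changing form."""
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '</form>')


def verify_request(session, form_fields, origin, allowed_origin):
    """Return (accepted, reason).  Checks the Origin header first when the
    browser sent one, then the token; both must pass."""
    if origin is not None and origin != allowed_origin:
        return False, "origin mismatch"
    submitted = form_fields.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return False, "missing or invalid csrf token"
    return True, "ok"


def simulate(session, allowed_origin="https://bank.example"):
    """Legitimate form post vs. two forged cross-site posts (constructed)."""
    legit = verify_request(session, {"csrf_token": session.csrf_token, "amount": "10"},
                           allowed_origin, allowed_origin)
    # The attacker's page makes the browser send the cookie, but has no token.
    forged = verify_request(session, {"amount": "10000"},
                            "https://evil.invalid", allowed_origin)
    # Even with no Origin header at all, the request still fails on the token.
    forged_no_origin = verify_request(session, {"amount": "10000"}, None, allowed_origin)
    return legit, forged, forged_no_origin
```

Setting the session cookie with the SameSite attribute adds a second, independent layer, but the token check above does not depend on it.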
Question 32
Which scanning method analyzes vulnerabilities without directly interacting with the target system?
A) Passive scanning
B) Active scanning
C) Credentialed scanning
D) Brute-force scanning
Answer: A) Passive scanning
Explanation:
Passive scanning focuses on gathering data by quietly observing communication patterns, network behavior, and publicly accessible information without interacting with the target system. It analyzes network packets, configurations, or broadcast messages as they naturally appear in the environment. Because it does not send probes or generate traffic aimed at the target, it remains difficult to detect and is ideal for stealth reconnaissance. Its strength lies in its ability to reveal network structures, active hosts, service banners, or potential vulnerabilities while maintaining complete invisibility. This makes it well suited for adversaries performing early-stage intelligence gathering or defenders conducting low-impact assessments.
Active scanning, by contrast, deliberately interacts with the target by sending packets, probes, or requests to identify open ports, active services, or vulnerabilities. Tools performing this method generate measurable traffic, making them discoverable by intrusion detection systems. Although highly effective and comprehensive, active scanning clearly does not match the requirement of avoiding direct interaction. It is used when thorough analysis is required, accepting the trade-off of increased detectability.
Credentialed scanning utilizes authenticated access to perform deeper inspections of system configurations, software versions, and patch status. Because it requires valid credentials, it interacts intensely with the target system, running commands, retrieving files, or analyzing internal components that passive scanning cannot access. Its purpose is accuracy and depth rather than stealth, making it unsuitable as an interaction-free method.
Brute-force scanning involves repeatedly attempting various password combinations or inputs to discover valid authentication credentials. Such activity generates substantial traffic and is noisy by design. It directly engages the target’s authentication mechanisms, making it extremely detectable. Its purpose is credential discovery, not stealth information monitoring.
Passive scanning is correct because it alone gathers intelligence without directly engaging or altering the target system in any way. It operates purely as an observer, leveraging naturally occurring network data to assess potential vulnerabilities. This method supports reconnaissance activities where stealth is critical, offering insight into open ports, device types, or communication patterns without risking detection. Its emphasis on non-intrusive intelligence collection aligns precisely with the definition provided in the question.
Question 33
Which technique can be used to identify the operating system of a target host remotely?
A) OS fingerprinting
B) Packet sniffing
C) Phishing
D) SQL injection
Answer: A) OS fingerprinting
Explanation:
OS fingerprinting examines characteristics of network responses from a target system to deduce its underlying operating system. It analyzes fields such as TCP initial sequence numbers, TTL values, window sizes, error messages, and responses to specially crafted packets. Because operating systems implement network protocols differently, these subtle variations can reveal whether a host is running Windows, Linux, macOS, or another system. This method facilitates reconnaissance by helping attackers choose appropriate payloads or exploitation techniques tailored to the target environment. It is widely used in penetration testing tools that assess network exposure and device diversity.
Packet sniffing captures network traffic as it flows across a network segment. While sniffing may reveal useful information such as protocols, services, or application data, it does not inherently identify an operating system. Only when paired with further analysis or correlating known patterns might it provide hints, but this is indirect and unreliable. Its purpose is data collection rather than active OS determination.
Phishing is a social engineering strategy that deceives users into providing sensitive information by presenting fraudulent messages or websites. It manipulates human behavior rather than analyzing network characteristics. It is entirely unrelated to technical OS identification and does not collect system signatures or protocol responses. Its domain is psychological manipulation, not system profiling.
SQL injection targets backend databases by introducing malicious SQL commands into vulnerable input fields. It compromises applications relying on database interactions, granting unauthorized access or data extraction. SQL injection does not interact with the networking stack or reveal information about a system’s operating system. It is an application-layer attack rather than an OS discovery technique.
OS fingerprinting is correct because it is specifically designed to determine the operating system of a remote host through systematic analysis of protocol implementation details. By identifying the OS, security testers can understand the environment, assess compatibility of attack vectors, and prioritize vulnerabilities linked to specific platforms. This method supports both defensive and offensive operations by offering essential insights into system architecture without requiring authentication or direct access. Its precision and relevance to operating system discovery make it the only accurate choice among the listed techniques.
Question 34
Which encryption method uses the same key for both encryption and decryption?
A) Symmetric encryption
B) Asymmetric encryption
C) Hashing
D) Digital signature
Answer: A) Symmetric encryption
Explanation:
Symmetric encryption relies on a single shared key for both encrypting and decrypting information. Because the same key must be securely distributed to all authorized parties, key management becomes a central challenge. Despite this, symmetric encryption is valued for its speed, efficiency, and suitability for encrypting large amounts of data. It is commonly used for data at rest, real-time communications, and high-performance systems. Techniques such as AES and DES fall within this category, demonstrating how symmetric systems prioritize performance while depending on trustworthy key exchange mechanisms.
Asymmetric encryption differs by using a mathematically related key pair consisting of a public key and a private key. The public key encrypts data, while the private key decrypts it. This arrangement eliminates the need to share a secret key and supports secure communication over untrusted channels. However, it is computationally slower than symmetric encryption, making it more suitable for exchanging session keys, authentication, and digital signatures rather than encrypting large data volumes directly.
Hashing transforms data into a fixed-length value called a hash, which cannot be reversed to retrieve the original data. It verifies integrity but does not provide confidentiality. Hashing algorithms such as SHA-256 confirm whether data has been altered, but they do not encrypt or decrypt information and therefore do not use any kind of key, shared or otherwise.
Digital signatures combine hashing with asymmetric encryption to validate the authenticity and integrity of messages. The sender signs the hash of a message with a private key, and the recipient verifies it with the corresponding public key. This process ensures trust and non-repudiation but does not rely on a single shared key. It is primarily a verification mechanism rather than a symmetric cryptographic process.
Symmetric encryption is correct because it uniquely employs a single secret key for both encryption and decryption. Its reliance on shared secrets means it demands careful handling of key distribution, but its speed and simplicity make it fundamental to modern cryptographic systems. No other choice listed matches the requirement of using the same key for both cryptographic functions, making symmetric encryption the accurate answer.
Question 35
Which attack targets wireless networks by sending continuous noise to disrupt communication?
A) Jamming
B) War driving
C) Evil twin
D) WPA2 handshake attack
Answer: A) Jamming
Explanation:
Jamming intentionally emits continuous interference or noise on wireless frequencies to disrupt communication between devices. By overwhelming the signal spectrum, it prevents legitimate users from transmitting or receiving data. This causes a denial of service, making the network unusable within the affected range. Jamming can vary from broad-spectrum interference to highly targeted frequency disruption, depending on the attacker’s equipment. The goal is not to steal information but to render wireless communication impossible, affecting availability and potentially masking other malicious activities.
War driving involves scanning for wireless networks by moving through areas with a device equipped to detect Wi-Fi signals. Although war driving can map out vulnerable networks, gather SSIDs, and locate unsecured access points, it does not interfere with communications. Its focus is on discovery and cataloging rather than disruption.
Evil twin attacks create rogue access points that mimic legitimate ones. The attacker entices users to connect, enabling interception of data such as credentials. While dangerous, this attack is subtle and deceptive rather than disruptive. It relies on tricking users into joining a malicious network, not blocking communication through noise or signal interference.
A WPA2 handshake attack captures the handshake packets exchanged when a device authenticates with a network. Attackers use these captured packets offline to attempt password cracking. This method does not disrupt ongoing communications and does not involve interfering with signals. It is a passive interception technique rather than an active disruption strategy.
Jamming is correct because it directly impacts the availability of wireless communication by flooding the spectrum with interference. Unlike reconnaissance or interception techniques, jamming has the singular purpose of denying access to wireless services. It represents an attack on a network’s operational capacity, making it uniquely aligned with the description of sending continuous noise to disrupt communication.
Question 36
Which type of firewall maintains connection states and filters packets based on session context?
A) Packet-filtering firewall
B) Stateful firewall
C) Proxy firewall
D) Circuit-level gateway
Answer: B) Stateful firewall
Explanation:
A stateful firewall tracks the state of active connections and makes filtering decisions based on context such as session initiation, ongoing communication patterns, and expected traffic flows. It maintains a state table that records details about each connection, allowing it to determine whether a packet belongs to an existing session or represents potentially malicious activity. By combining packet inspection with session awareness, it offers enhanced security and reduces false positives. Stateful firewalls evaluate factors such as TCP handshake completeness, packet sequence, and session legitimacy.
A packet-filtering firewall examines individual packets at the network layer based on predefined criteria such as IP addresses, ports, and protocols. While efficient, it lacks awareness of ongoing sessions. It cannot determine whether a packet belongs to an existing connection or whether it is part of an attack mimicking legitimate traffic. Its simplicity makes it faster but less secure than stateful mechanisms.
A proxy firewall acts at the application layer, serving as an intermediary between clients and external servers. It evaluates traffic content, ensuring requests and responses are valid at the application protocol level. Although powerful for content filtering, it does not primarily maintain connection state in the same manner as a stateful firewall. Its emphasis is on deep inspection rather than session tracking.
A circuit-level gateway operates at the transport layer and monitors connection establishment but does not inspect packet content in detail. It focuses on ensuring proper handshakes and maintaining session-level rules. However, it lacks the robust state tracking and packet context analysis found in stateful firewalls.
A stateful firewall is correct because it uniquely combines packet filtering with detailed session awareness, enabling more accurate decisions based on the broader context of network communication.
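To make the difference concrete, here is an added example (not part of the original question set) that simulates both approaches over a few constructed packets: a stateless rule that admits any inbound TCP packet carrying the ACK flag, beside a stateful filter whose connection table is populated only by outbound SYNs. The addresses, ports and flag sets are constructed sample data.

```python
"""Stateless vs stateful filtering of inbound TCP packets (added illustration).

The stateless rule approximates "established" traffic by the ACK flag alone,
so a forged inbound ACK is admitted. The stateful filter keeps a per-connection
table and only admits inbound packets that match a session the inside host
actually opened. All packets below are constructed, not captured traffic.
"""
from dataclasses import dataclass, field

INSIDE_NET = "10.0.0."  # constructed prefix of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_filter(pkt):
    """Allow all outbound traffic and any inbound packet that carries ACK."""
    if pkt.src.startswith(INSIDE_NET):
        return "allow"
    return "allow" if "ACK" in pkt.flags else "drop"


@dataclass
class StatefulFirewall:
    # State table keyed by (inside_ip, inside_port, outside_ip, outside_port).
    table: dict = field(default_factory=dict)

    def handle(self, pkt):
        if pkt.src.startswith(INSIDE_NET):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"  # new session opened from inside
            elif pkt.flags & {"FIN", "RST"}:
                self.table.pop(key, None)  # session torn down
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse direction
        state = self.table.get(key)
        if state is None:
            return "drop"  # no matching session: unsolicited inbound packet
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.table[key] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]
            return "allow"
        return "drop"  # packet does not fit the expected handshake step


def run_both(packets):
    """Return (stateless decisions, stateful decisions) for a packet sequence."""
    fw = StatefulFirewall()
    return ([stateless_filter(p) for p in packets], [fw.handle(p) for p in packets])


SAMPLE = [  # constructed sequence: a real handshake, then a forged ACK
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, frozenset({"SYN"})),
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("198.51.100.7", 443, "10.0.0.5", 40001, frozenset({"ACK"})),
]
```

The third packet is the one that separates the two designs: the stateless rule allows it on the strength of its ACK flag, while the stateful filter drops it because no inside host ever opened a session to that address and port.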
Question 37
Which attack takes advantage of weak input validation to gain unauthorized access to a system?
A) SQL injection
B) Cross-site scripting
C) DNS spoofing
D) DDoS
Answer: A) SQL injection
Explanation:
SQL injection manipulates input fields by inserting crafted SQL statements that the backend database executes improperly due to insufficient input validation. When applications fail to sanitize or parameterize user-supplied data, attackers can bypass authentication, extract sensitive data, or modify database contents. This exploit demonstrates how critical proper input handling is, as even a simple login form can become a gateway to unauthorized access if validation is weak. SQL injection remains one of the most dangerous and prevalent application security threats.
Cross-site scripting allows attackers to inject malicious scripts into web pages viewed by other users. While it also involves input manipulation, its primary goal is to execute unauthorized code in a victim’s browser rather than gaining backend system access. It compromises client-side security through session hijacking, credential theft, or malicious redirection. It does not directly exploit input validation to access backend systems but focuses on browser-based manipulation.
DNS spoofing corrupts or falsifies DNS responses to redirect users to malicious websites. It manipulates traffic flows at the network level rather than through application input handling. Its purpose is traffic redirection, phishing, or session interception, not exploiting application input fields.
A DDoS attack overwhelms systems with massive traffic to cause unavailability. It aims to exhaust resources, not gain unauthorized access. It does not rely on input validation flaws but on volume and resource exhaustion techniques.
SQL injection is correct because it explicitly exploits weak input validation mechanisms to manipulate backend database operations and obtain unauthorized access.
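The login-form case the explanation mentions, as an added example that is not part of the original question set: a lookup that splices user input into the SQL string beside the same lookup with bound parameters. An in-memory SQLite table with one constructed row stands in for the application's backend.

```python
"""Weak input validation in a login query, vulnerable and parameterized (added illustration).

The first lookup builds the SQL text from user input, so the input can change the
query's logic. The second binds the input as a parameter, so the driver always
treats it as a value. The database and its single user row are constructed.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample row; a real system would store a salted password hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String formatting: the input becomes part of the SQL grammar."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Placeholders: the input is passed as data and can never alter the WHERE clause."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both lookups with a valid password and with the textbook tautology input."""
    conn = make_db()
    tautology = "' OR '1'='1"  # turns the password check into an always-true condition
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "param_valid": login_parameterized(conn, "alice", "correct horse"),
        "param_tautology": login_parameterized(conn, "alice", tautology),
    }
```

With the tautology input the vulnerable lookup reports a successful login without the password, while the parameterized lookup compares the literal string against the stored value and rejects it.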
Question 38
Which social engineering technique involves leaving infected USB drives for victims to pick up and connect?
A) Phishing
B) Baiting
C) Pretexting
D) Shoulder surfing
Answer: B) Baiting
Explanation:
Baiting strategically uses physical or digital items that appear appealing to lure victims into taking an action that compromises security. When an attacker leaves infected USB drives in places where targets are likely to find them, curiosity often leads victims to plug the device into their computers. Once connected, the USB executes malware or opens backdoors. Baiting relies on human behavior, particularly temptation, curiosity, or desire for free items. It bridges social engineering and physical attack vectors by using tangible media to initiate compromise.
Phishing leverages deceptive communication such as emails or messages to trick victims into revealing credentials or clicking malicious links. Unlike baiting, phishing does not require physical objects or abandoned items. It manipulates perceptions through digital communication, not through enticing objects waiting to be discovered.
Pretexting fabricates a believable scenario or identity to extract information from victims. It involves impersonation, storytelling, or authority exploitation. While powerful, it does not employ infected physical items. Instead, it convinces victims to willingly share information through trust manipulation.
Shoulder surfing involves visually observing a victim’s private actions, such as entering a password or PIN. It is observational and does not include the use of physical media or enticing bait.
Baiting is correct because it uniquely combines social engineering manipulation with physical objects designed to deliver malware once interacted with.
Question 39
Which wireless security protocol replaced WEP and is more secure?
A) WPA2
B) WPA
C) WPS
D) TKIP
Answer: A) WPA2
Explanation:
WPA2 was introduced as a significant improvement over WEP and WPA, providing stronger encryption through the AES-based CCMP algorithm. It corrected vulnerabilities in earlier standards and became the industry’s recommended wireless security protocol. Its enhanced integrity and confidentiality protections make it substantially more secure than WEP and more resilient than WPA’s transitional mechanisms.
WPA improved upon WEP by introducing TKIP to strengthen encryption. However, TKIP was designed as a temporary solution and retained weaknesses that made it less secure than WPA2. WPA remained vulnerable to various attacks and lacked the robustness of modern encryption techniques.
WPS was developed as a convenience feature intended to simplify device connection to wireless networks. However, its PIN-based mechanism introduced significant vulnerabilities that attackers could exploit through brute-force methods. WPS does not replace WEP, nor does it serve as a full wireless security protocol.
TKIP, used in WPA, attempted to enhance WEP encryption but ultimately proved insufficient in modern threat environments. It was intended as an interim security measure and does not match the strength of AES-based encryption.
WPA2 is correct because it replaced earlier standards with significantly improved security mechanisms and remains widely implemented as the secure default.
Question 40
Which network device can separate a network into multiple segments to reduce broadcast traffic and enhance security?
A) Hub
B) Switch
C) Router
D) Firewall
Answer: C) Router
Explanation:
A router operates at Layer 3 and creates separate broadcast domains by connecting different network segments. By controlling how traffic flows between these segments, routers reduce unnecessary broadcast traffic and enhance overall security. They also support routing policies, access control lists, and segmentation strategies that limit exposure between internal networks. Routers form the backbone of inter-network communication and offer both performance and security benefits.
A hub broadcasts all incoming traffic to every connected device. It does not separate broadcast domains or offer any security. Its simplicity makes it obsolete in modern networks.
A switch forwards traffic only to the appropriate destination port within the same local network segment. Although this reduces internal traffic and enhances efficiency, switches do not divide broadcast domains unless using VLANs, and even then, routing is needed between VLANs.
A firewall enforces traffic policies but does not inherently separate broadcast domains unless it includes routing functionality. Its primary role is filtering, not segmentation.
A router is correct because it uniquely supports true network segmentation, reduces broadcast traffic, and introduces security controls between distinct networks.